is GDPR compliant and you need to be so too

All processes have been mapped out

GDPR processor-controller contract has been prepared

Server security has been hardened even further

All staff who come near any personal information must show clean criminal records and sign non-disclosure agreements

Privacy policy has been made in much more detail

Terms & conditions have been changed

All suppliers have been scrutinised and some have been dropped just for security’s sake

Backup procedures have been changed to minimise personal information storage for deleted systems

There have also been various system changes to make our users more compliant with GDPR regulations. Some changes enhance security so that our users are better protected if someone gets hold of their equipment, and others make users' permission for clients' data and communication clearer.

4 custom features are now available free for all

Double authentication module

for enhanced security when logging into systems. It is very important that users embrace this quickly, as the most likely cause of a data breach is probably that someone gets hold of equipment, virtually or physically, that enables them to access the system and the data.

Delete history module

that enables users to set how long data on data subjects who have made bookings within the system needs to be kept. If you do not need to keep the data, this tool is great for auto-deleting it, for example 30 days (depending on user settings) after a booking is completed. If users have set up client login, membership etc., then this module should not be used.

Terms & Conditions module

where users can set their own T&C along with a privacy policy in which they detail, in human-readable language (not in some legal blah), how they plan to use the data

Cancellation policy module

where users can detail how their cancellation policy is enforced

From the admin interface there is now access to 3 groups of personal data

Company info

usually available on the internet for all to see

System users info

(the ones who provide the service), usually available on the internet for all to see so clients can choose them when booking

Client info

never available on the internet for anyone other than system users to see

Each of these groups has an easy-to-use interface where every single bit of information stored in the system is printed on the screen or can be exported as a structured JSON report. Additionally, upon request, all client details can be deleted with a simple button. These records can only be accessed after a simple authentication procedure: re-entering the password. If double authentication is enabled, a verification code is also required. As client data is often part of statistical information about sales and bookings, the data is not all deleted but made completely unrecognisable while kept usable for stats. This is very important.
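To illustrate what "unrecognisable but still usable for stats" can mean in practice, here is an added example, not code from the booking system described above. It strips the direct identifiers (name, email, phone) from a deleted client's bookings and replaces the client id with a keyed one-way token, so that totals per service and repeat-customer counts still add up while the person cannot be identified. The field names, the sample bookings and the HMAC-based token are all constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample data: bookings as a booking system might store them.
SAMPLE_BOOKINGS = [
    {"booking_id": 1001, "client_id": 42, "name": "Anna Example",
     "email": "anna@example.com", "phone": "+000 555 0100",
     "service": "Massage 60 min", "date": "2018-05-02", "amount": 9000},
    {"booking_id": 1002, "client_id": 42, "name": "Anna Example",
     "email": "anna@example.com", "phone": "+000 555 0100",
     "service": "Massage 30 min", "date": "2018-05-16", "amount": 5000},
    {"booking_id": 1003, "client_id": 77, "name": "Bjorn Example",
     "email": "bjorn@example.com", "phone": "+000 555 0101",
     "service": "Massage 60 min", "date": "2018-05-20", "amount": 9000},
]

# Fields that identify a natural person; none of them survive deletion.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "client_id")
# Fields with no personal data that the sales/booking statistics depend on.
STATISTICAL_FIELDS = ("booking_id", "service", "date", "amount")


def pseudonym(client_id, secret):
    """Keyed one-way token for a client id (assumed approach, HMAC-SHA256).

    Statistics can still count repeat customers, but the id cannot be recovered
    from the token without the secret. Destroying the secret makes the mapping
    irreversible for everyone, including the operator.
    """
    return hmac.new(secret, str(client_id).encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_booking(booking, secret):
    """Copy only the statistical fields and attach the pseudonymous client token."""
    out = {k: booking[k] for k in STATISTICAL_FIELDS}
    out["client_token"] = pseudonym(booking["client_id"], secret)
    return out


def delete_client(bookings, client_id, secret):
    """Anonymise every booking of the deleted client; leave other clients untouched."""
    return [anonymize_booking(b, secret) if b["client_id"] == client_id else dict(b)
            for b in bookings]


def sales_by_service(bookings):
    """Aggregate that must give the same answer before and after a deletion."""
    totals = {}
    for b in bookings:
        totals[b["service"]] = totals.get(b["service"], 0) + b["amount"]
    return totals


def mentions(bookings, value):
    """Simple leak check: does any stored field still equal this personal value?"""
    return any(value in b.values() for b in bookings)


if __name__ == "__main__":
    after = delete_client(SAMPLE_BOOKINGS, 42, b"constructed-secret")
    print(sales_by_service(SAMPLE_BOOKINGS) == sales_by_service(after))
    print(mentions(after, "anna@example.com"))
```

The leak check is deliberately naive (exact match on stored values); a real deletion routine would also cover free-text notes and any linked tables, which the example does not model.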

No direct access for support team

Upon activation of double authentication, the support team does not have any access to the user's system, which can be inconvenient if you need quick assistance but also enhances security. Although all staff who may come into contact with personal information have clean criminal records and have signed an NDA, access is now restricted, and the only way for them to gain access is if the user gives them a temporary code so they can help with settings if needed.

Some of the most delicate information in the system is patient details, which are usually stored in a component called SOAP. The SOAP component has now been enhanced to be encrypted at rest so that no one can access this information, even if they break into the user's system or even into the servers, UNLESS they have the secret key. This key can be kept on a USB drive or in a folder on a computer. It is never stored on the servers. Just make sure that the computer is well protected, so that if it is stolen, thieves would not have easy access to the hard disk. The same applies to the USB drive, which can also be encrypted with a code that only you remember.

All emails have unsubscribe links, and this has now also been added to promotional emails so that clients who have unsubscribed from these messages will not receive them. Fortunately this has not been a problem, as clients are generally happy to receive promotions from their favourite providers.

For users who want to harden security even more, there is the HIPAA feature, which can be enabled for Standard and Premium subscriptions. This feature lets users set automatic system log-out after a predefined idle time, for example 20 minutes after the system was last used. It also lets users receive a notification upon each login into the system. Furthermore, this feature prevents personal data from being sent over email or SMS and removes client and service names from these notifications, making it harder for snoopers to see personal data.

It is also recommended that users harden security on mobile devices by using long passwords and automatic deletion of phone data after several wrong password attempts. This prevents thieves from getting hold of the double-authentication access code.

All users should set auto screen lock to decrease the risk of snooping by people who may be walking around the workplace. Here is a link that describes how this can be done on Windows-based computers.

Here is a link to a good article from PayPal about how GDPR affects anyone handling personal data from subjects in the EU, and what steps to take.

Remember that you are responsible for the privacy policy towards your own clients, and no one can make this for you, as it is something you decide. Make it clear and concise so that your clients understand how you plan to treat their data, and explain what measures you take to keep their data safe.

Here is a good article with some of the main points that need to be addressed in your privacy policy, which you will include in the terms & conditions that clients agree to before making a booking or becoming a member or a user in your system. You should also link to the privacy policy where it details how we process the subjects' data on your behalf, and what transfers take place. The policy can be found here.